Should You Disable Java on Your Computer?

Computers come equipped with many pieces of software and programming platforms that most of us don't know we have and don't know what they're for.

One of those programming platforms, Java, has been in the news lately because of its security problems involving the Apple Macintosh operating system, Mac OS X. It's caused many headaches for Windows users as well.

Java was first introduced by Sun Microsystems in 1995 as a self-contained platform to create and run thousands of computer applications.

"Java creates an environment for code to run regardless of the operating system, so software developers that write code in the Java programming language can run their programs on pretty much any operating system, including Microsoft Windows, Apple OS X, Linux and UNIX variants," explained Marcus Carey, security researcher at Boston's Rapid7. "Normally you'd have to write an application per operating system."

Litany of woe

Java has a long history of security vulnerabilities, which are now coming to the public's attention because of the widespread infection of Macs in late March by the Flashback, also called Flashfake, malware family.

Java was bundled into Apple's Mac OS X 10.6 Snow Leopard by default, and kept on if a Mac user upgraded his machine from Snow Leopard to Mac OS X 10.7 Lion. (Java is not bundled into "clean" installations of Lion, but can be added later.)

"Later on in the distributions [of Flashfake variants], the Flashfake operators abused the vulnerabilities in those Java installs and new installs by delivering Java exploits from malicious websites," said Kurt Baumgartner, senior security researcher with Moscow-based Kaspersky Lab. "In many cases, [the malware operators] simply tricked the users into believing that their Java web applets were actually Java software updates from Apple, Inc."

Java is a favorite target of cybercriminals because it is so easy to exploit, and also because users are frequently using outdated versions of it.

"Java vulnerabilities are addressed in every single major exploit pack available through underground markets, such as the Blackhole exploit pack, Eleonore pack and Crimepack, among others," Catalin Cosoi of Bucharest, Romania's Bitdefender said. "This makes Java exploitation as simple as it gets, even if the attacker has no technical skills at all."

Patch or disable?

The big problem is that Java installations aren't being patched, Carey said, which is a problem that can be traced back to three main issues.

First of all, organizations are often unaware of the security implications of not patching their software. Second, if software that an organization depends on was written using older versions of Java, upgrading Java may cripple or altogether disable that software.

Third, many users aren't aware that Web browsers are configured with Java plug-ins enabled, which makes them susceptible to drive-by malware attacks targeting older versions of Java. This happens with Flashback. (Java shouldn't be confused with JavaScript, an unrelated language used for enabling features on web pages.)

At one time, Java was absolutely necessary if you wanted to be able to use your computer for, well, just about everything. Today there is less need for it. A growing number of security experts recommend not installing Java if you don't already have it, and perhaps even getting rid of it if you do.

You can see whether your browser is running Java at http://www.java.com/en/download/testjava.jsp. The page shows whether your browser has Java enabled and, if so, which plug-in version it is running. If your plug-in is out of date, updates are free to download and install.

Knowing if your computer actively uses Java for other applications, however, is a little tougher.

"It's like asking 'What open-source libraries or code are you using on your system?'" Baumgartner said.

In Mac OS X, you can check by going into Applications → Utilities and looking for an application called "Java Preferences." If it's not there, you don't have Java installed; if it is, you can open the application and uncheck all options to disable Java entirely.

In Windows, go to Start → Settings → Control Panel → Java Control Panel and go to the Advanced tab to disable Java.

Perhaps the easiest way to tell whether or not you need Java is to first disable it entirely. If you regularly use an application or visit a Web site that requires Java, your system or the site will prompt you that you need to install or re-enable Java. You may find that you don't need it and don't miss it.

On the other hand, if you do use applications that require Java — such as programs in the Adobe Creative Suite like Photoshop, Illustrator or InDesign — "responsible" use of Java will let you use them without putting your computer at risk.

How to live with Java

According to Cosoi, there are two important rules every Java user should obey.

First, always keep Java up to date. Whenever you're prompted to update it, install the patch as soon as possible. The smallest delay can expose you to malware.

Second, set aside one browser for websites that absolutely require Java, and disable the Java plug-in on all other browsers. Use the other browsers for everything else, for example checking your email or reading the news.

This way, if you land on a compromised website that's trying to exploit a Java flaw, odds are you'll be protected.

If you're still concerned about security and Java, the easiest way to see if you are susceptible to Java drive-by attacks is to visit Rapid7's www.IsJavaExploitable.com. It'll tell you right away if your Java's up to date.

"There have been some pretty interesting applications developed in Java," Baumgartner said.

He doesn't think that it's necessary to uninstall Java to keep your computer secure. Instead, Baumgartner said, we're best off remembering to keep on top of those Java alerts to upgrade.

"Upgrading the software on our systems is an important habit to learn," he said.